When the database server or libpq client library initializes SSL, libeay32.dll attempts to read configuration from a hard-coded directory. Typically, the directory does not exist, but any local user could create it and inject configuration. This configuration can direct OpenSSL to load and execute arbitrary code as the user running a PostgreSQL server or client.
Most PostgreSQL client tools and libraries use libpq, and one can encounter this vulnerability by using any of them. This vulnerability is much like CVE-2019-5443, but it originated independently. One can work around the vulnerability by setting environment variable OPENSSL_CONF to "NUL:/openssl.cnf" or any other name that cannot exist as a file.
The PostgreSQL project thanks Daniel Gustafsson of the curl security team for reporting this problem.
| Affected Version | Fixed In | Fix Published |
|---|---|---|
| 11 | 11.5 | 2019-08-08 |
| 10 | 10.10 | 2019-08-08 |
| 9.6 | 9.6.15 | 2019-08-08 |
| 9.5 | 9.5.19 | 2019-08-08 |
| 9.4 | 9.4.24 | 2019-08-08 |
For more information about PostgreSQL versioning, please visit the versioning page.
| Overall Score | 7.8 |
|---|---|
| Component | packaging |
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
If you wish to report a new security vulnerability in PostgreSQL, please send an email to security@postgresql.org.
For reporting non-security bugs, please see the Report a Bug page.